  • CVE-2025-27429: Critical ABAP Code Injection in SAP S/4HANA via RFC

    Overview

    On April 8, 2025, SAP disclosed CVE-2025-27429, a critical vulnerability in SAP S/4HANA (Private Cloud and On-Premise editions), affecting versions S4CORE 102 through 108. This flaw enables a low-privileged attacker to inject arbitrary ABAP code via a vulnerable function module exposed through RFC (Remote Function Call). The vulnerability is classified under CWE-94: Improper Control of Generation of Code.

    Vulnerability Details

    The flaw exists in a specific RFC-enabled function module, which lacks adequate input validation and authorization checks. An attacker with valid but limited SAP user privileges can craft malicious RFC requests that inject ABAP code into the system. The injected code is then executed in the context of the system, effectively acting as a backdoor.

    This enables:

    • Full system compromise
    • Bypass of SAP authorization mechanisms
    • Arbitrary manipulation of data and processes

    Technical Breakdown

    This vulnerability has a CVSS v3.1 base score of 9.9, marking it as Critical. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Key attributes include:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability Impact: High

    Scope: Changed indicates that exploitation affects resources beyond the vulnerable function itself, potentially escalating the impact to broader system components.

    Understanding CWE-94

    CWE-94 refers to vulnerabilities where user-controllable inputs are used directly in dynamic code execution. In SAP systems, such vulnerabilities are particularly dangerous because the system underpins core business processes and ABAP is the foundational language for many SAP applications.

    Impacted Systems

    • S/4HANA S4CORE versions 102 through 108

    Both Private Cloud and On-Premise installations are affected if they expose the vulnerable RFC module.

    Mitigation and Recommendations

    SAP recommends the following:

    • Apply the latest security patches available in SAP Note 3581961
    • Restrict RFC access to trusted sources only
    • Use SAP Code Vulnerability Analyzer to detect risky custom code
    • Enable system-wide logging and monitoring for unusual ABAP activity

    Conclusion

    CVE-2025-27429 represents a severe risk for enterprises relying on SAP S/4HANA. Given the low barrier to exploitation and the critical nature of SAP environments, immediate patching and system hardening are essential to prevent unauthorized code execution and system compromise.